WO2011045723A1 - Ciphertext-policy attribute-based encryption and re-encryption - Google Patents

Ciphertext-policy attribute-based encryption and re-encryption

Info

Publication number
WO2011045723A1
Authority
WO
WIPO (PCT)
Prior art keywords
ciphertext
access policy
encryption key
encryption
policy
Prior art date
Application number
PCT/IB2010/054581
Other languages
French (fr)
Inventor
Muhammad Asim
Luan Ibraimi
Milan Petkovic
Original Assignee
Koninklijke Philips Electronics N.V.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Koninklijke Philips Electronics N.V. filed Critical Koninklijke Philips Electronics N.V.
Publication of WO2011045723A1 publication Critical patent/WO2011045723A1/en

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3066 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
    • H04L9/3073 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves involving pairings, e.g. identity based encryption [IBE], bilinear mappings or bilinear pairings, e.g. Weil or Tate pairing
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0464 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload using hop-by-hop encryption, i.e. wherein an intermediate entity decrypts the information and re-encrypts it before forwarding it
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/102 Entity profiles
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/088 Usage controlling of secret information, e.g. techniques for restricting cryptographic keys to pre-authorized uses, different access levels, validity of crypto-period, different key- or password length, or different strong and weak cryptographic algorithms
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/76 Proxy, i.e. using intermediary entity to perform cryptographic operations
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network

Definitions

  • the invention relates to ciphertext-policy attribute-based encryption.
  • the invention also relates to re-encrypting encrypted data.
  • a proxy re-encryption system allows a semi-trusted proxy to transform a ciphertext computed under, for example, Alice's public key into a ciphertext that can be decrypted by using, for example, Bob's secret key.
  • This system may work as follows: Alice or a trusted third party generates a re-encryption key and sets it in a semi-trusted proxy.
  • On receiving Alice's ciphertexts, the semi-trusted proxy transforms the ciphertext by running the re-encryption algorithm with the re-encryption key, and sends the transformed ciphertext to Bob.
  • Bob decrypts it with his secret key.
  • the proxy re-encryption system may be arranged to satisfy the following criteria: 1) a semi-trusted proxy alone cannot obtain the underlying plaintext, 2) Bob cannot obtain the underlying plaintext without the semi-trusted proxy cooperating, 3) ideally, the collusion of Bob and the semi-trusted proxy does not enable the semi-trusted proxy to construct Alice's secret key.
  • Ciphertext-Policy Attribute-Based Encryption (CP-ABE) schemes provide a solution by encrypting the data before storing it on an untrusted server according to an access policy "P" which enforces the access control cryptographically.
  • Alice can upload her sensitive health data to an un-trusted server.
  • a first aspect of the invention provides a system comprising a re-encrypter for cryptographically transforming a first ciphertext associated with a first access policy into a second ciphertext associated with a second access policy by means of a re-encryption key.
  • a delegator who has access to data according to the first access policy would desire to enable a delegatee to view the data.
  • the delegator could desire to delegate his task of evaluating the data to the delegatee.
  • the delegatee needs access to the data.
  • the attributes of the delegatee may not conform to the access policy with which the data was originally encrypted. Consequently, the decryption key, also referred to as secret key, of the delegatee does not allow the delegatee to decrypt the data.
  • the re-encrypter allows changing the access policy by re-encrypting the data.
  • Because the re-encryption is governed by a re-encryption key, it is not necessary to first decrypt the data before encrypting it with the second access policy. This way, the re-encrypter can generate the second ciphertext associated with the second access policy.
  • a ciphertext associated with an access policy may be decrypted by means of a decryption key associated with an attribute set satisfying that access policy.
  • the ciphertext may only be decrypted by means of a decryption key associated with an attribute set satisfying that access policy, although it is possible to have exceptions, such as a master decryption key which can decrypt independent of policy and/or attributes.
  • any decryption key associated with an attribute set satisfying the access policy may be used to decrypt the message.
  • An attribute set is a set of one or more attributes.
  • the first ciphertext associated with the first access policy may be decrypted by means of a decryption key associated with an attribute set satisfying the first access policy.
  • the second ciphertext associated with the second access policy may be decrypted by means of a decryption key associated with an attribute set satisfying the second access policy.
  • the system may comprise a re-encryption key generator for generating the re-encryption key, wherein the re-encryption key enables the re-encrypter to
  • the re-encryption key generator may be arranged to use the secret key of the delegator to generate the re-encryption key. This way, only the re-encryption key needs to be generated within the trusted environment of the delegator, whereas the potentially more computationally intensive task of cryptographically transforming the first ciphertext can be performed in a semi-trusted environment.
  • the re-encryption key may be associated with the first access policy via an attribute set which satisfies the first access policy. In such a case, the re-encryption key can be used to re-encrypt any ciphertext whose access policy is satisfied by that attribute set.
  • the re-encryption key generator may comprise a subsystem for encrypting a value derived from a pseudorandom number, thereby generating a further ciphertext associated with the second access policy.
  • the re-encryption key generator may be arranged for including a representation of the further ciphertext in the re-encryption key.
  • a secret (the pseudorandom number) can be communicated to a decrypter having a decryption key associated with a proper attribute set. This secret can be used as at least part of a key to decrypt a message.
  • the re-encrypter may be arranged for including in the second ciphertext a representation of the further ciphertext. This is a convenient way to convey the further ciphertext to the decrypter.
  • the re-encryption key generator may be arranged for including in the re-encryption key an at least partly obfuscated representation of part of a decryption key associated with an attribute set satisfying the first access policy. This can be used to create an efficient encryption scheme.
  • the re-encrypter may be arranged for bilinear pairing of at least part of the re-encryption key and at least part of the first ciphertext. This helps to create an efficient encryption scheme.
  • the system may comprise a decrypter for decrypting the second ciphertext by means of a decryption key associated with an attribute set satisfying the second access policy.
  • the decrypter performs the actual decryption of the transformed ciphertext.
  • the decrypter may comprise:
  • the system may further comprise:
  • a key generator for receiving a set of at least one attribute and outputting a decryption key associated with an attribute set comprising at least one attribute
  • an encrypter for generating the ciphertext associated with the first access policy, wherein the ciphertext comprises an encryption of a message and the ciphertext can be decrypted by means of a decryption key associated with an attribute set satisfying the first access policy.
  • the re-encryption key generator may be arranged for generating a re-encryption key (RK), wherein the re-encryption key (RK) enables a re-encrypter (9) to cryptographically transform a first ciphertext (CT_P1) associated with a first access policy (P1) into a second ciphertext (CT_P2) associated with a second access policy (P2).
  • RK re-encryption key
  • P1 first access policy
  • CT_P2 second ciphertext associated with a second access policy
  • the system may be implemented in one or more workstations. At least one of these workstations may be a medical workstation.
  • a method of ciphertext-policy attribute-based re-encryption comprises cryptographically transforming a first ciphertext associated with a first access policy into a second ciphertext associated with a second access policy by means of a re-encryption key.
  • the method may be implemented in form of a computer program product comprising instructions for causing a processor system to perform the method.
  • Fig. 1 is a block diagram of an encryption system
  • Fig. 2 is a flow chart of an encryption method
  • Fig. 3 illustrates schematically an application of an encryption system.
  • CP-ABEPRE ciphertext-policy attribute-based proxy re-encryption
  • a semi-trusted proxy can translate an original ciphertext associated with an access policy "P1" to a new ciphertext associated with an access policy "P2", without being able to access the plain data.
  • the new ciphertext can be decrypted only by users who possess a secret key associated with a set of attributes which satisfy the associated policy "P2".
  • CP-ABEPRE may be useful in delegation scenarios or in scenarios where the owner of the data wishes to change the access control policy.
  • the exemplary system described herein has the advantage that even the collusion of the semi-trusted proxy and the delegatee cannot construct the secret key of the delegator. So, even if the proxy and the delegatee share their secret information, neither the proxy nor the delegatee can find out the secret key of the delegator.
  • the system can be used in a number of applications such as for access control over the network storage (e.g. personal health records), secure e-mail forwarding. Other applications of the system are also possible. From the description of the CP-ABE, it may be seen that these schemes provide advantages in certain domains where attribute-based access control is used. An example of such a domain is healthcare.
  • a user may want to delegate or allow access to sensitive data by another user with a different set of attributes (e.g. fitness coach, his/her subordinate, second opinion doctor), which other user is not allowed to view the data according to the original policy "P1".
  • the data owner may want to allow access for a second opinion to another doctor (Dr. Bob) from a second hospital.
  • Dr. Bob may have to change his/her consent policy to another policy "P2".
  • the patient data may be stored at an untrusted server, for example a third party digital HealthVault provider, and encrypted according to the policy "P1".
  • a patient who wants to enable access to data for Dr. Bob who is allowed to view the encrypted data according to the policy "P2" can compute a re-encryption key (Proxy Key) rk(P1-P2) and send the key to the proxy which is maintained by the untrusted server.
  • the proxy, using rk(P1-P2), can transform all ciphertexts encrypted under the access policy "P1" to a ciphertext encrypted under the access policy "P2" without having access to the plain data.
  • Dr. Bob can use his key SK_P2 to decrypt the data. Consequently, Dr. Bob can view the data and give a second opinion to the Patient, who can then ask his/her main physician for an additional examination.
  • Fig. 1 illustrates some aspects of an encryption system including a functionality of re-encryption.
  • the Figure only shows an example system. Other architectures and/or modifications are also contemplated. Some of the functional blocks of the example system may be implemented on separate devices which are used by different users of the system. It is also possible to implement the whole system on a single computer. Conversely, it is also possible to distribute the functionality of a single block over a plurality of devices.
  • the system may comprise several databases, for example a user database 10.
  • users may be listed by means of user IDs or demographic
  • the database 10 may store additional information for some or all of the users.
  • a user may be associated with a set of attributes ω.
  • attributes may represent groups or categories to which the user belongs, or special privileges the user enjoys.
  • the system may further comprise a database 8 for storing encrypted data. These data may be encrypted according to an access policy.
  • the encrypted data, or ciphertext is then associated with that access policy.
  • Various chunks of encrypted data, or ciphertexts may be associated with different access policies. Consequently, it is possible to specify in detail which users have access to which data, by encrypting the data accordingly.
  • To decrypt a ciphertext which is associated with an access policy, the user needs to have a secret key SK_ω associated with a set of attributes ω which are acceptable for the access policy.
  • the access policy prescribes which combination(s) of attributes are needed for decryption. To this end, the data is encrypted differently depending on the access policy.
  • the system further comprises one or more user environments 4.
  • In the Figure, only one user environment 4 is depicted; however, in practice there may be more user environments.
  • the user environment 4 may comprise secret keys and/or provide an environment for processing sensitive data.
  • the system may comprise a re-encrypter 9 for cryptographically transforming a first ciphertext CT_P1 associated with a first access policy P1 into a second ciphertext CT_P2 associated with a second access policy P2 by means of a re-encryption key RK.
  • the re-encryption key RK may be provided from the user environment 4 to the re-encrypter 9.
  • the user environment 4 may send a control signal to the re-encrypter 9, indicating which ciphertext CT_P1 from the database 8 should be re-encrypted.
  • the re-encrypted, second ciphertext CT_P2 may be stored in the database 8 for retrieval by any other user environments 4 which possess a secret key SK_ω associated with a set of attributes ω satisfying the new access policy P2.
  • the re-encrypter 9 and/or the user environment 4 may be arranged for deleting the first ciphertext CT_P1 from the database 8.
  • a user interface may be provided for enabling a user to select whether or not to delete the first ciphertext.
  • the second access policy P2 also allows access by all sets of attributes that were allowed access by the first access policy P1. In such a case it would be superfluous to keep the first ciphertext CT_P1.
  • the first ciphertext may be deleted from the database 8 after re-encryption.
  • the system may comprise a re-encryption key generator 7 which may be implemented within the user environment 4.
  • the re-encryption key generator 7 may be implemented in a trusted server.
  • the re-encryption generator 7 is arranged for generating a re-encryption key RK.
  • This re-encryption key RK contains the information which is necessary to cryptographically transform, or re-encrypt, the ciphertext. This way, the access policy associated with a ciphertext may be changed.
  • the re-encryption key RK may not comprise sufficient information to enable the re-encrypter 9 or a third party to decrypt the ciphertext into its plaintext data.
  • the re-encryption key RK may be provided to a re-encrypter 9, which may use the re-encryption key RK to cryptographically transform a first ciphertext CT_P1 associated with the first access policy P1 into a second ciphertext CT_P2 associated with the second access policy P2.
  • the re-encryption key RK may have a given set of attributes and a given access policy associated therewith and may provide sufficient information to cryptographically transform any ciphertext associated with any access policy satisfied by this given set of attributes into a ciphertext associated with this given access policy.
  • the re-encryption key generator 7 may comprise a subsystem for encrypting a value derived from a pseudorandom number.
  • the encrypted value constitutes a further ciphertext, which is associated with the second access policy P2. For example, a pseudorandom number generator is provided; the pseudorandom number, or a value derived therefrom, may be encrypted under control of the re-encrypter 7 using encrypter 5.
  • the re-encryption key generator 7 may be arranged for including in the re-encryption key RK a representation of this further ciphertext. It is noted that the further ciphertext can only be decrypted using a secret key associated with an access policy satisfying the second access policy P2. Consequently, the re-encrypter 9 may not be able to decrypt the further ciphertext and hence may not know the pseudorandom number.
  • the re-encrypter 7 may be arranged for including in the second ciphertext CT_P2 a representation of the further ciphertext.
  • the users having a set of attributes satisfying the second access policy P2 are able to know the value or pseudorandom number.
  • the re-encryption key generator 7 may be arranged for including in the re-encryption key an at least partly obfuscated representation of part of a decryption key associated with an attribute set satisfying the first access policy. This part of the decryption key may be obfuscated by modifying it in dependence on the pseudorandom number.
  • the re-encrypter 9 may be arranged for bilinear pairing of at least part of the re-encryption key RK and at least part of the first ciphertext CT_P1.
  • the system may comprise a decrypter 6.
  • the decrypter 6 may be arranged for decrypting a ciphertext from the database 8.
  • the decrypter 6 may use a secret key SK_ω associated with a set of attributes ω to decrypt a ciphertext CT_P associated with an access policy P.
  • Such a decryption may only work if the set of attributes ω satisfies the access policy P associated with the ciphertext CT_P.
  • the decrypter 6 may be able to decrypt the ciphertext CT_P2 which is the result of re-encryption by the re-encrypter 9.
  • the decrypter 6 may comprise several subsystems.
  • it may comprise a subsystem for extracting the further ciphertext from the second ciphertext CT_P2; a subsystem for decrypting the further ciphertext by means of the decryption key SK_ω to obtain the value derived from the pseudorandom number; a subsystem for decrypting the plaintext stored in the second ciphertext based on the value.
  • the system may comprise a key generator 3 for receiving a set ω of at least one attribute and outputting a decryption key or secret key SK_ω associated with an attribute set ω comprising at least one attribute.
  • This secret key SK_ω may be provided to a user environment 4 for use by a decrypter 6 and/or a re-encryption key generator 7.
  • the system may further comprise a user manager 2 connected to the user database 10.
  • the user manager 2 may be used to enter new users into the system and/or give a set of attributes to a user.
  • the user manager 2 may be arranged for providing a set of attributes ω to the key generator 3 to produce an associated secret key SK_ω.
  • the user manager 2 may comprise a user interface to enable a privileged user to operate the user manager.
  • the system may further comprise an encrypter 5.
  • This encrypter 5 may be part of a user environment 4, although this is not necessary. In particular, it may not be necessary to have a secret key SK_ω to perform encryption operations, as these may be performed using a public key PK.
  • the encrypter 5 may be used for generating a ciphertext CT_P associated with an access policy P.
  • the resulting ciphertext CT_P may comprise an encryption of a message and can be decrypted by means of a decryption key SK_ω associated with an attribute set ω satisfying the access policy P.
  • a ciphertext CT_P1 thus generated and associated with a first access policy P1 can be changed into a second ciphertext CT_P2 associated with a second access policy P2, by means of the re-encrypter 9 and re-encryption key generator 7.
  • At least part of the system described may be implemented on a computer workstation, for example a medical workstation. This may be implemented by means of a computer program.
  • Fig. 2 shows a flow chart illustrating a method of ciphertext-policy attribute-based data re-encryption.
  • suitable components of the system illustrated in Fig. 1 may be used.
  • In step 21, data is encrypted according to a first access policy. This step may result in a first ciphertext associated with the first access policy.
  • In step 22, it is considered if the access policy needs to be changed. If so, in step 27, the first ciphertext is cryptographically transformed into a second ciphertext associated with a second access policy. This is done by means of a re-encryption key which may be provided by a user. After re-encryption, the method returns to step 22 to consider if the access policy needs to be changed again.
  • In step 23, it is considered if the ciphertext needs to be decrypted. If so, in step 24 it is checked whether a secret key associated with a set of attributes satisfying the access policy of the ciphertext is available. This access policy associated with the ciphertext can be the first access policy or the second access policy, for example. If the necessary secret key is available, the secret key is used to decrypt the ciphertext in step 25. After that the process terminates in step 26. However, the process can also return to step 22, for example, to enable other users to decrypt the data or to change the access policy (again).
  • If the ciphertext does not need to be decrypted in step 23, the method may return to step 22. If the needed secret key is not available in step 24, an error signal is produced and the process may terminate in step 28 or return to step 22.
  • the method or parts thereof may be implemented as one or more computer programs.
  • a CP-ABE scheme may comprise four main algorithms which may be executed by different actors in the system.
  • An example system has been described with reference to Fig. 1 and Fig. 2.
  • Decrypt may be distinguished, wherein KeyGen stands for key generation.
  • the CP-ABPRE scheme may extend CP-ABE schemes by adding a proxy component to the existing actors of CP-ABE (which include a trusted authority (TA) and users) and the algorithms RKGen and Re-Encrypt, wherein RKGen stands for re-encryption key generation.
  • TA trusted authority
  • Setup(): run by the trusted authority (TA), the algorithm, on input of a security parameter, outputs a master secret key "MK", which may be kept private, and the master public key "PK", which may be distributed to users.
  • MK master secret key
  • PK master public key
  • KeyGen(ω, MK): run by the trusted authority (TA), the algorithm may take as input a set of attributes ω which represent properties of a user, and the master secret key MK, and it may output a user secret key sk_ω associated with the set of attributes ω.
  • a user secret key sk_ω may be used later on for decrypting ciphertexts which have an access policy which is satisfied by the set of attributes ω.
  • the algorithm may take as input a message "m" to be encrypted, an access policy P1, and the master public key "PK".
  • the access policy P1 prescribes which combination of attributes the decrypter needs to have in order to be allowed access to "m".
  • the algorithm may output the ciphertext "c_P1".
  • this algorithm may take as input the secret key sk_ω and the access policies (P1, P2) and may output a unidirectional re-encryption key rk(P1-P2) if sk_ω satisfies P1, or an error symbol (or, alternatively, an unusable re-encryption key) if ω does not satisfy P1.
  • this algorithm may take as input the ciphertext "c_P1" associated with the access policy P1, and the re-encryption key rk(P1-P2), and may output the ciphertext "c_P2" associated with the access policy P2.
  • i may be 1 or 2.
  • RKGen may comprise the step of selection of random values
  • RKGen may comprise the step of generating a random value, i.e. g 1 .
  • RKGen may comprise the step of modifying the secret key (of delegator) associated with the attribute set that satisfies the first access policy by multiplying it with g ' .
  • RKGen may comprise the step of re-arranging the secret key (of delegator) associated with the attribute set that satisfies the first access policy for inclusion in the re-encryption key.
  • RKGen may comprise generating a random component for inclusion in the re-encryption key.
  • RKGen may comprise deriving a pseudorandom number that is encrypted from a value generated during the setup phase based on a random number "f" from Z_p, wherein this random number "f" is part of a Master Secret Key MK.
  • Re-Encrypt may comprise the step of bilinear pairing of from the re-encryption key and from the first ciphertext to generate P
  • Re-Encrypt may comprise the step of bilinear pairing of D (V > from the re-encryption key and from the first ciphertext and multiplication of the resultant value with P- 1 to generate PK
  • Re-Encrypt may comprise the step of division of from the first ciphertext by the output P- 1 to generate PK
  • PK Re-Encrypt may comprise the step of bilinear pairing of from the re-encryption key and ⁇ of the first ciphertext and multiplication of the resultant value with output P- 1 to generate ( 2) .
  • Re-Encrypt may comprise the step of rearrangement of the values for the output as second ciphertext, i.e. (C(1), C(2), C(3)). The symbols used in this paragraph are explained hereinafter.
  • a drawback of this approach is that the server may gain access to the plain data and to the secret key of Alice. Consequently, the server should be a trusted entity. In practice, the server might not be trusted.
  • Alice could perform by herself the re-encryption process by downloading the ciphertexts, decrypting the ciphertexts using her keys that correspond to P1 and re-encrypting the data according to P2.
  • the main disadvantage of this approach is that Alice has to be involved in each re-encryption. In both of these approaches, the process is also computationally intensive as the data is first decrypted and then encrypted again.
  • a ciphertext-policy attribute-based proxy re-encryption scheme may support efficient outsourced policy updates. It allows a proxy maintained by an untrusted server (or untrusted system) to transform a ciphertext associated with an access policy "P1" into a ciphertext associated with an access policy "P2". In this transformation process, the untrusted server (or system or proxy) does not get access to the plain data.
  • a ciphertext-policy attribute-based proxy re-encryption scheme may be useful for the dynamic environments where a person wants to delegate the access rights to a second person (delegate) related to a data encrypted according to the access policy P1, where the delegate is only allowed to view the data encrypted according to an access policy P2.
  • a ciphertext-policy attribute-based proxy re-encryption scheme may be useful for the dynamic environments where the access policy is changed frequently, e.g. in the healthcare domain, a patient may want to enable access for another doctor (e.g. Dr. Bob), or another category of healthcare professionals, in order to get a second opinion.
  • a ciphertext-policy attribute-based proxy re-encryption scheme may support multiuser decryption and multiuser delegation.
  • Fig. 3 shows an example of an architecture of an encryption system.
  • the Internet may be used as a means of communication.
  • the general practitioner (GP) 34 from the Hospital 1 downloads the encrypted data from the un-trusted storage server 31, as indicated by arrow 42, and decrypts them locally. Note that besides the owner of the data (i.e., the Patient himself), only users who have the attributes GP and Hospital 1 can decrypt the ciphertext.
  • the re-encryption key rk(P1-P2) may be sent to a re-encryption key storage server 32, as indicated by arrow 43.
  • the proxy 33, upon receiving the re-encryption key from the patient and original ciphertext associated with P1 from the server, may re-encrypt the ciphertext associated with "P1" into a ciphertext associated with "P2" using the re-encryption key rk(P1-P2). This is depicted with arrows 44 and 45. Note that in practice the semi-trusted proxy 33 could also be integrated in the re-encryption key storage server 32. After the re-encryption, the GP 35 from Hospital 2 can decrypt the data using his/her secret key, as depicted by arrow 46.
  • This example scheme comprises a number of algorithms which may be implemented on computer servers, for example using a computer program which implements the algorithm. Some of these algorithms may be omitted or implemented only partly, as appropriate. Moreover, different algorithms may be arranged to be executed on different computer devices. It is also possible to distribute the operations involved in a single algorithm over a plurality of devices and/or processors.
  • the algorithms described below include a setup algorithm, a key generation algorithm, an encryption algorithm, a re-encryption key generator (RKGen), a re-encryption algorithm, and a decryption algorithm. Modifications of these algorithms are possible; the specific examples described below are not limiting.
  • the setup algorithm selects a bilinear group G_0 of prime order p and generator g, and a bilinear map e : G_0 × G_0 → G_1.
  • the master secret key consists of the following components:
  • ( ⁇ , ⁇ , , ⁇ . ⁇ ).
  • the key generation algorithm takes as input the master secret key MK and an attribute set ω, wherein ω ⊆ Ω. For each user the algorithm picks at random r ∈ Z_p and computes a secret key SK_ω which comprises the following components:
  • Encryption(m, p_1, PK): To encrypt a message m ∈ G_1 under the access policy p_1 over the set of available attributes Ω, the encryption algorithm picks a random value s ∈ Z_p, and assigns s_i values (which are shares of s) to attributes in p_1 in the following fashion:
  • the encrypter transforms the access policy into an access tree where the interior nodes represent AND or OR boolean operators, and leaf nodes represent the actual attributes appearing in the policy.
  • the policy may have the form of an expression including AND and/or OR operators, to indicate valid combinations of attributes which are sufficient to be allowed access.
  • the resulting ciphertext may comprise the following components:
  • RKGen(SK_ω, p_1, p_2, PK): The algorithm outputs a re-encryption key which is used by the re-encryption algorithm to transform the ciphertext associated with p_1 into a ciphertext associated with p_2.
  • the algorithm first parses , picks at
  • the algorithm outputs the re-encrypted ciphertext, which may comprise the following components:
  • Decryption(C_{p_i}, SK_ω): The decryption algorithm takes as input the ciphertext C_{p_i} and decryption key SK_ω. It checks if the secret key SK_ω associated with the attribute set ω satisfies the access policy p_i. If not, it may output an error symbol ⊥, or unusable output. If ω satisfies the access policy p_i and C_{p_i} is a regular (not re-encrypted) ciphertext, then the decryption algorithm performs the following:
  • the algorithm chooses the smallest subset which satisfies the access policy p t and parses , and SK m as
  • the message is obtained by computing
  • the decryption algorithm performs the following:
  • the invention also applies to computer programs, particularly computer programs on or in a carrier, adapted to put the invention into practice.
  • the program may be in the form of a source code, an object code, a code intermediate source and object code such as in a partially compiled form, or in any other form suitable for use in the implementation of the method according to the invention.
  • a program may have many different architectural designs.
  • a program code implementing the functionality of the method or system according to the invention may be sub-divided into one or more sub-routines. Many different ways of distributing the functionality among these sub-routines will be apparent to the skilled person.
  • sub-routines may be stored together in one executable file to form a self-contained program.
  • Such an executable file may comprise computer-executable instructions, for example, processor instructions and/or interpreter instructions (e.g. Java interpreter instructions).
  • one or more or all of the sub-routines may be stored in at least one external library file and linked with a main program either statically or dynamically, e.g. at run-time.
  • the main program contains at least one call to at least one of the sub-routines.
  • the sub-routines may also comprise function calls to each other.
  • An embodiment relating to a computer program product comprises computer-executable instructions corresponding to each processing step of at least one of the methods set forth herein.
  • These instructions may be sub-divided into sub-routines and/or stored in one or more files that may be linked statically or dynamically.
  • Another embodiment relating to a computer program product comprises computer-executable instructions corresponding to each means of at least one of the systems and/or products set forth herein. These instructions may be sub-divided into sub-routines and/or stored in one or more files that may be linked statically or dynamically.
  • the carrier of a computer program may be any entity or device capable of carrying the program.
  • the carrier may include a storage medium, such as a ROM, for example, a CD ROM or a semiconductor ROM, or a magnetic recording medium, for example, a floppy disc or a hard disk.
  • the carrier may be a transmissible carrier such as an electric or optical signal, which may be conveyed via electric or optical cable or by radio or other means.
  • the carrier may be constituted by such a cable or other device or means.
  • the carrier may be an integrated circuit in which the program is embedded, the integrated circuit being adapted to perform, or used in the performance of, the relevant method.
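
The access-tree step of the encryption algorithm and the satisfaction check of the decryption and RKGen algorithms listed above, as an added example (not code from the patent). The share rule used here (an OR node copies its value to every child, an AND node splits it additively modulo p) is an assumption, since the formula itself did not survive in this list; the policy strings are constructed from the Fig. 3 scenario, `P` is a stand-in prime, and all function names are hypothetical. In a pairing-based scheme the shares live in exponents of group elements, which this sketch leaves out.

```python
import re
import secrets

P = 2**127 - 1  # constructed stand-in for the prime group order p


def parse(policy):
    """Parse e.g. 'Patient OR (GP AND Hospital1)' into an access tree.

    Interior nodes are ('AND'|'OR', [children]); leaves are ('LEAF', index, attribute).
    AND binds tighter than OR.
    """
    tokens = re.findall(r"[()]|[^\s()]+", policy)
    pos = 0
    n_leaves = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        tok = peek()
        pos += 1
        return tok

    def atom():
        nonlocal n_leaves
        tok = take()
        if tok == "(":
            node = or_expr()
            if take() != ")":
                raise ValueError("missing ')'")
            return node
        if tok in (None, ")", "AND", "OR"):
            raise ValueError(f"unexpected token {tok!r}")
        n_leaves += 1
        return ("LEAF", n_leaves - 1, tok)

    def chain(op, operand):
        kids = [operand()]
        while peek() == op:
            take()
            kids.append(operand())
        return kids[0] if len(kids) == 1 else (op, kids)

    def and_expr():
        return chain("AND", atom)

    def or_expr():
        return chain("OR", and_expr)

    tree = or_expr()
    if pos != len(tokens):
        raise ValueError("trailing tokens")
    return tree


def assign_shares(node, value, shares=None):
    """Push the secret s down the tree; returns {leaf index: share s_i}."""
    shares = {} if shares is None else shares
    kind = node[0]
    if kind == "LEAF":
        shares[node[1]] = value
    elif kind == "OR":  # assumed rule: every branch alone recovers the value
        for child in node[1]:
            assign_shares(child, value, shares)
    else:  # AND, assumed rule: all branches are needed, so split additively
        parts = [secrets.randbelow(P) for _ in node[1][:-1]]
        parts.append((value - sum(parts)) % P)
        for child, part in zip(node[1], parts):
            assign_shares(child, part, shares)
    return shares


def smallest_satisfying(node, attrs):
    """Smallest list of leaf indices that satisfies the policy, or None."""
    kind = node[0]
    if kind == "LEAF":
        return [node[1]] if node[2] in attrs else None
    picks = [smallest_satisfying(child, attrs) for child in node[1]]
    if kind == "OR":
        usable = [p for p in picks if p is not None]
        return min(usable, key=len) if usable else None
    if any(p is None for p in picks):
        return None
    return [leaf for p in picks for leaf in p]


def recover(shares, leaves):
    """Combine the shares of the chosen leaves back into s."""
    return sum(shares[i] for i in leaves) % P


def rkgen_allowed(attrs, p1_tree):
    """RKGen precondition: the delegator's attribute set must satisfy P1."""
    return smallest_satisfying(p1_tree, attrs) is not None


if __name__ == "__main__":
    p1 = parse("Patient OR (GP AND Hospital1)")   # constructed policy P1
    p2 = parse("Patient OR (GP AND Hospital2)")   # constructed policy P2
    s = secrets.randbelow(P)
    shares = assign_shares(p1, s)
    for name, attrs in [("GP, Hospital 1", {"GP", "Hospital1"}),
                        ("GP, Hospital 2", {"GP", "Hospital2"})]:
        leaves = smallest_satisfying(p1, attrs)
        ok = leaves is not None and recover(shares, leaves) == s
        print(f"{name}: P1 leaves={leaves} recovers s={ok}, "
              f"satisfies P2={smallest_satisfying(p2, attrs) is not None}")
```
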

Abstract

A ciphertext-policy attribute-based encryption system, comprising a re-encrypter (9) for cryptographically transforming a first ciphertext (CTP1) associated with a first access policy (P1) into a second ciphertext (CTP2) associated with a second access policy (P2) by means of a re-encryption key (RK). The system further comprises a re-encryption key generator (7) for generating the re-encryption key (RK), wherein the re-encryption key (RK) enables the re-encrypter (9) to cryptographically transform the first ciphertext (CTP1) associated with the first access policy (P1) into the second ciphertext (CTP2) associated with the second access policy (P2). Said re-encryption key generator (7) comprises a subsystem for encrypting a value derived from a pseudorandom number, thereby generating a further ciphertext associated with the second access policy (P2).

Description

Ciphertext-policy attribute-based encryption and re-encryption
FIELD OF THE INVENTION
The invention relates to ciphertext-policy attribute-based encryption. The invention also relates to re-encrypting encrypted data.
BACKGROUND OF THE INVENTION
A proxy re-encryption system allows a semi-trusted proxy to transform a ciphertext computed under, for example, Alice's public key into a ciphertext that can be decrypted by using, for example, Bob's secret key. This system may work as follows: Alice or a trusted third party generates a re-encryption key and sets it in a semi-trusted proxy. On receiving Alice's ciphertexts, the semi-trusted proxy transforms the ciphertext by running the re-encryption algorithm with the re-encryption key, and sends the transformed ciphertext to Bob. Bob decrypts it with his secret key. In this way, Alice delegates her decryption rights to Bob via the semi-trusted proxy, so Alice may be called a delegator and Bob may be called a delegatee. The proxy re-encryption system may be arranged to satisfy the following criteria: 1) a semi-trusted proxy alone cannot obtain the underlying plaintext, 2) Bob cannot obtain the underlying plaintext without the semi-trusted proxy cooperating, 3) ideally, the collusion of Bob and the semi-trusted proxy does not enable the semi-trusted proxy to construct Alice's secret key.
In J. Bethencourt, A. Sahai, and B. Waters, "Ciphertext-Policy Attribute-Based Encryption", Proceedings of the 2007 IEEE Symposium on Security and Privacy, pages 321-334, 2007, a message is encrypted according to an access policy "P" over some descriptive attributes, while a user secret key skω is associated with a set of attributes ω. The decrypter can decrypt the ciphertext if the set of attributes ω associated with the secret key skω satisfies the access policy "P" associated with the ciphertext. In many situations, when a user encrypts the data, it is desirable that the user is able to establish a specific access control policy on who can decrypt this data. Traditionally, this type of expressive access control is enforced by employing a trusted server. The server is entrusted as a reference monitor that checks that a user presents proper certification before allowing him to access records or files. However, in some situations, the server might not be completely trusted. For this reason, sensitive data may be stored in an encrypted form so that it remains private even if a server is compromised. Ciphertext-Policy Attribute-Based Encryption (CP-ABE) schemes provide a solution by encrypting the data before storing it on an untrusted server according to an access policy "P" which enforces the access control cryptographically.
For instance, Alice can upload her sensitive health data to an untrusted server. Before uploading, the data may be encrypted according to the access policy P = (physician OR nurse), where "physician" and "nurse" are the attributes of the users who are allowed to view Alice's data. This means that only users who have at least one of the attributes "physician" or "nurse" are able to decrypt and view Alice's data with their secret key. If Alice's physician wants to view Alice's data, he downloads the data to his PC and decrypts the data using his secret key skω associated with the attribute "physician". However, more flexible CP-ABE schemes could be desirable.
SUMMARY OF THE INVENTION
It would be advantageous to have an improved ciphertext-policy attribute-based encryption system (CP-ABE). To better address this concern, a first aspect of the invention provides a system comprising a re-encrypter for cryptographically transforming a first ciphertext associated with a first access policy into a second ciphertext associated with a second access policy by means of a re-encryption key.
In some cases, a delegator who has access to data according to the first access policy would desire to enable a delegatee to view the data. For example, the delegator could desire to delegate his task of evaluating the data to the delegatee. In such a case the delegatee needs access to the data. However, the attributes of the delegatee may not conform to the access policy with which the data was originally encrypted. Consequently, the decryption key, also referred to as secret key, of the delegatee does not allow the delegatee to decrypt the data. The re-encrypter allows changing the access policy by re-encrypting the data. Since the re-encryption is governed by a re-encryption key, it is not necessary to first decrypt the data before encrypting it with the second access policy. This way, the re-encrypter can generate the second ciphertext associated with the second access policy. However, as the re-encrypter does not have the decryption key, it cannot decrypt either the first or the second ciphertext. Consequently, the re-encrypter cannot gain access to the plaintext. This allows the re-encrypter to be implemented on a semi-trusted server or proxy. Consequently, the re-encryption does not have to be performed within the trusted environment of the delegator.
A ciphertext associated with an access policy may be decrypted by means of a decryption key associated with an attribute set satisfying that access policy. In principle, the ciphertext may only be decrypted by means of a decryption key associated with an attribute set satisfying that access policy, although it is possible to have exceptions, such as a master decryption key which can decrypt independent of policy and/or attributes. However, any decryption key associated with an attribute set satisfying the access policy may be used to decrypt the message. An attribute set is a set of one or more attributes. The first ciphertext associated with the first access policy may be decrypted by means of a decryption key associated with an attribute set satisfying the first access policy, whereas the second ciphertext associated with the second access policy may be decrypted by means of a decryption key associated with an attribute set satisfying the second access policy.
The system may comprise a re-encryption key generator for generating the re-encryption key, wherein the re-encryption key enables the re-encrypter to cryptographically transform the first ciphertext associated with the first access policy into the second ciphertext associated with the second access policy. The re-encryption key generator may be arranged to use the secret key of the delegator to generate the re-encryption key. This way, only the re-encryption key needs to be generated within the trusted environment of the delegator, whereas the potentially more computationally intensive task of cryptographically transforming the first ciphertext can be performed in a semi-trusted environment. The re-encryption key may be associated with the first access policy via an attribute set which satisfies the first access policy. In such a case, the re-encryption key can be used to re-encrypt any ciphertext whose access policy is satisfied by that attribute set.
The re-encryption key generator may comprise a subsystem for encrypting a value derived from a pseudorandom number, thereby generating a further ciphertext associated with the second access policy. The re-encryption key generator may be arranged for including a representation of the further ciphertext in the re-encryption key. Using the further ciphertext, a secret (the pseudorandom number) can be communicated to a decrypter having a decryption key associated with a proper attribute set. This secret can be used as at least part of a key to decrypt a message.
The re-encrypter may be arranged for including in the second ciphertext a representation of the further ciphertext. This is a convenient way to convey the further ciphertext to the decrypter.
The re-encryption key generator may be arranged for including in the re-encryption key an at least partly obfuscated representation of part of a decryption key associated with an attribute set satisfying the first access policy. This can be used to create an efficient encryption scheme.
The re-encrypter may be arranged for bilinear pairing of at least part of the re-encryption key and at least part of the first ciphertext. This helps to create an efficient encryption scheme.
The system may comprise a decrypter for decrypting the second ciphertext by means of a decryption key associated with an attribute set satisfying the second access policy. The decrypter performs the actual decryption of the transformed ciphertext.
The decrypter may comprise:
a subsystem for extracting the further ciphertext from the second ciphertext;
a subsystem for decrypting the further ciphertext by means of the decryption key to obtain the value; and/or
a subsystem for decrypting the message stored in the second ciphertext based on the value.
This helps to make the system efficient and/or secure.
The system may further comprise:
a key generator for receiving a set of at least one attribute and outputting a decryption key associated with an attribute set comprising at least one attribute; and/or
an encrypter for generating the ciphertext associated with the first access policy, wherein the ciphertext comprises an encryption of a message and the ciphertext can be decrypted by means of a decryption key associated with an attribute set satisfying the first access policy.
These system parts are useful for key generation and encryption, respectively.
Another aspect of the invention provides a re-encryption key generator for use in the system set forth. The re-encryption key generator may be arranged for generating a re-encryption key (RK), wherein the re-encryption key (RK) enables a re-encrypter (9) to cryptographically transform a first ciphertext (CTP1) associated with a first access policy (P1) into a second ciphertext (CTP2) associated with a second access policy (P2).
The system may be implemented in one or more workstations. At least one of these workstations may be a medical workstation.
A method of ciphertext-policy attribute-based re-encryption comprises cryptographically transforming a first ciphertext associated with a first access policy into a second ciphertext associated with a second access policy by means of a re-encryption key. The method may be implemented in form of a computer program product comprising instructions for causing a processor system to perform the method.
It will be appreciated by those skilled in the art that two or more of the above-mentioned embodiments, implementations, and/or aspects of the invention may be combined in any way deemed useful.
Modifications and variations of the image acquisition apparatus, the workstation, the system, and/or the computer program product, which correspond to the described modifications and variations of the system, can be carried out by a person skilled in the art on the basis of the present description.
BRIEF DESCRIPTION OF THE DRAWINGS
These and other aspects of the invention are apparent from and will be elucidated with reference to the embodiments described hereinafter. In the drawings,
Fig. 1 is a block diagram of an encryption system;
Fig. 2 is a flow chart of an encryption method; and
Fig. 3 illustrates schematically an application of an encryption system.
DETAILED DESCRIPTION OF EMBODIMENTS
In this description, an example of a ciphertext-policy attribute-based proxy re-encryption (CP-ABEPRE) is described. However, modifications and alternative embodiments of the example given are within reach of the skilled person. In the exemplary system, a semi-trusted proxy can translate an original ciphertext associated with an access policy "P1" to a new ciphertext associated with an access policy "P2", without being able to access the plain data. The new ciphertext can be decrypted only by users who possess a secret key associated with a set of attributes which satisfy the associated policy "P2". CP-ABEPRE may be useful in delegation scenarios or in scenarios where the owner of the data wishes to change the access control policy. The exemplary system described herein has the advantage that even the collusion of the semi-trusted proxy and the delegatee cannot construct the secret key of the delegator. So, even if the proxy and the delegatee share their secret information, neither the proxy nor the delegatee can find out the secret key of the delegator. However, this is not a limitation.
The system can be used in a number of applications, such as access control over network storage (e.g. personal health records) and secure e-mail forwarding. Other applications of the system are also possible.
From the description of the CP-ABE, it may be seen that these schemes provide advantages in certain domains where attribute-based access control is used. An example of such a domain is healthcare. However, in practice, there are scenarios where a user may want to delegate or allow access to sensitive data by another user with a different set of attributes (e.g. fitness coach, his/her subordinate, second opinion doctor), which other user is not allowed to view the data according to the original policy "P1". For example, in a scenario from the domain of healthcare, the data owner (patient) may want to allow access for a second opinion to another doctor (Dr. Bob) from a second hospital. To enable such consultation, the patient may have to change his/her consent policy to another policy "P2". The patient data may be stored at an untrusted server, for example a third party digital HealthVault provider, and encrypted according to the policy "P1". Using a CP-ABPRE scheme, a patient who wants to enable access to data for Dr. Bob, who is allowed to view the encrypted data according to the policy "P2", can compute a re-encryption key (Proxy Key) rk(P1-P2) and send the key to the proxy which is maintained by the untrusted server. The proxy, using rk(P1-P2), can transform all ciphertexts encrypted under the access policy "P1" to a ciphertext encrypted under the access policy "P2" without having access to the plain data. After that, Dr. Bob can use his key SKP2 to decrypt the data. Consequently, Dr. Bob can view the data and give a second opinion to the Patient, who can then ask his/her main physician for an additional examination.
Fig. 1 illustrates some aspects of an encryption system including a functionality of re-encryption. The Figure only shows an example system. Other architectures and/or modifications are also contemplated. Some of the functional blocks of the example system may be implemented on separate devices which are used by different users of the system. It is also possible to implement the whole system on a single computer. Conversely, it is also possible to distribute the functionality of a single block over a plurality of devices.
The system may comprise several databases, for example a user database 10. In such a user database, users may be listed by means of user IDs or demographic information, for example. Moreover, the database 10 may store additional information for some or all of the users. For example, a user may be associated with a set of attributes ω. Such attributes may represent groups or categories to which the user belongs, or special privileges the user enjoys.
The system may further comprise a database 8 for storing encrypted data. These data may be encrypted according to an access policy. The encrypted data, or ciphertext, is then associated with that access policy. Various chunks of encrypted data, or ciphertexts, may be associated with different access policies. Consequently, it is possible to specify in detail which users have access to which data, by encrypting the data accordingly. To decrypt a ciphertext which is associated with an access policy, the user needs to have a secret key SKω associated with a set of attributes ω which are acceptable for the access policy. The access policy prescribes which combination(s) of attributes are needed for decryption. To this end, the data is encrypted differently depending on the access policy.
The system further comprises one or more user environments 4. In the Figure, only one user environment 4 is depicted, however, in practice there may be more user environments. The user environment 4 may comprise secret keys and/or provide an environment for processing sensitive data.
The system may comprise a re-encrypter 9 for cryptographically transforming a first ciphertext CTP1 associated with a first access policy P1 into a second ciphertext CTP2 associated with a second access policy P2 by means of a re-encryption key RK. The re-encryption key RK may be provided from the user environment 4 to the re-encrypter 9. Moreover, the user environment 4 may send a control signal to the re-encrypter 9, indicating which ciphertext CTP1 from the database 8 should be re-encrypted. The re-encrypted, second ciphertext CTP2 may be stored in the database 8 for retrieval by any other user environments 4 which possess a secret key SKω associated with a set of attributes ω satisfying the new access policy P2. Optionally, the re-encrypter 9 and/or the user environment 4 may be arranged for deleting the first ciphertext CTP1 from the database 8. A user interface may be provided for enabling a user to select whether or not to delete the first ciphertext. However, it is possible that the second access policy P2 also allows access by all sets of attributes that were allowed access by the first access policy P1. In such a case it would be superfluous to keep the first ciphertext CTP1. Also, to prevent any future access by users having a set of attributes satisfying the first access policy P1 but not the second access policy P2, the first ciphertext may be deleted from the database 8 after re-encryption.
The system may comprise a re-encryption key generator 7 which may be implemented within the user environment 4. Alternatively, the re-encryption key generator 7 may be implemented in a trusted server. The re-encryption generator 7 is arranged for generating a re-encryption key RK. This re-encryption key RK contains the information which is necessary to cryptographically transform, or re-encrypt, the ciphertext. This way, the access policy associated with a ciphertext may be changed. However, the re-encryption key RK may not comprise sufficient information to enable the re-encrypter 9 or a third party to decrypt the ciphertext into its plaintext data. The re-encryption key RK may be provided to a re-encrypter 9, which may use the re-encryption key RK to cryptographically transform a first ciphertext CTP1 associated with the first access policy P1 into a second ciphertext CTP2 associated with the second access policy P2. The re-encryption key RK may have a given set of attributes and a given access policy associated therewith and may provide sufficient information to cryptographically transform any ciphertext associated with any access policy satisfied by this given set of attributes into a ciphertext associated with this given access policy.
The re-encryption key generator 7 may comprise a subsystem for encrypting a value derived from a pseudorandom number. The encrypted value constitutes a further ciphertext, which is associated with the second access policy P2. For example, a pseudorandom number generator is provided; the pseudorandom number, or a value derived therefrom, may be encrypted under control of the re-encrypter 7 using encrypter 5. The re-encryption key generator 7 may be arranged for including in the re-encryption key RK a representation of this further ciphertext. It is noted that the further ciphertext can only be decrypted using a secret key associated with an access policy satisfying the second access policy P2. Consequently, the re-encrypter 9 may not be able to decrypt the further ciphertext and hence may not know the pseudorandom number. The re-encrypter 7 may be arranged for including in the second ciphertext CTP2 a representation of the further ciphertext. Consequently, the users having a set of attributes satisfying the second access policy P2 are able to know the value or pseudorandom number.
The re-encryption key generator 7 may be arranged for including in the re-encryption key an at least partly obfuscated representation of part of a decryption key associated with an attribute set satisfying the first access policy. This part of the decryption key may be obfuscated by modifying it in dependence on the pseudorandom number.
The re-encrypter 9 may be arranged for bilinear pairing of at least part of the re-encryption key RK and at least part of the first ciphertext CTP1.
The system may comprise a decrypter 6. The decrypter 6 may be arranged for decrypting a ciphertext from the database 8. The decrypter 6 may use a secret key SKω associated with a set of attributes ω to decrypt a ciphertext CTP associated with an access policy P. Such a decryption may only work if the set of attributes ω satisfies the access policy P associated with the ciphertext CTP. For example, if the set of attributes ω satisfies the second access policy P2, the decrypter 6 may be able to decrypt the ciphertext CTP2 which is the result of re-encryption by the re-encrypter 9. The decrypter 6 may comprise several subsystems. For example, it may comprise a subsystem for extracting the further ciphertext from the second ciphertext CTP2; a subsystem for decrypting the further ciphertext by means of the decryption key SKω to obtain the value derived from the pseudorandom number; a subsystem for decrypting the plaintext stored in the second ciphertext based on the value.
The system may comprise a key generator 3 for receiving a set ω of at least one attribute and outputting a decryption key or secret key SKω associated with an attribute set ω comprising at least one attribute. This secret key SKω may be provided to a user environment 4 for use by a decrypter 6 and/or a re-encryption key generator 7.
The system may further comprise a user manager 2 connected to the user database 10. The user manager 2 may be used to enter new users into the system and/or give a set of attributes to a user. The user manager 2 may be arranged for providing a set of attributes ω to the key generator 3 to produce an associated secret key SKω. The user manager 2 may comprise a user interface to enable a privileged user to operate the user manager.
The system may further comprise an encrypter 5. This encrypter 5 may be part of a user environment 4, although this is not necessary. In particular, it may not be necessary to have a secret key SKω to perform encryption operations, as these may be performed using a public key PK. The encrypter 5 may be used for generating a ciphertext CTP associated with an access policy P. The resulting ciphertext CTP may comprise an encryption of a message and can be decrypted by means of a decryption key SKω associated with an attribute set ω satisfying the access policy P. A ciphertext CTP1 thus generated and associated with a first access policy P1 can be changed into a second ciphertext CTP2 associated with a second access policy P2, by means of the re-encrypter 9 and re-encryption key generator 7.
At least part of the system described may be implemented on a computer workstation, for example a medical workstation. This may be implemented by means of a computer program.
Fig. 2 shows a flow chart illustrating a method of ciphertext-policy attribute- based data re-encryption. To perform the method, suitable components of the system illustrated in Fig. 1 may be used. In step 21, data is encrypted according to a first access policy. This step may result in a first ciphertext associated with the first access policy. In step 22, it is considered if the access policy needs to be changed. If so, in step 27, the first ciphertext is cryptographically transformed into a second ciphertext associated with a second access policy. This is done by means of a re-encryption key which may be provided by a user. After re-encryption, the method returns to step 22 to consider if the access policy needs to be changed again. If the access policy does not need to be changed in step 22, the method proceeds to step 23. In step 23 it is considered if the ciphertext needs to be decrypted. If so, in step 24 it is checked whether a secret key associated with a set of attributes satisfying the access policy of the ciphertext is available. This access policy associated with the ciphertext can be the first access policy or the second access policy, for example. If the necessary secret key is available, the secret key is used to decrypt the ciphertext in step 25. After that the process terminates in step 26. However, the process can also return to step 22 for example, to enable other users to decrypt the data or to change the access policy (again). If the ciphertext does not need to be decrypted in step 23, the method may return to step 22. If the needed secret key is not available in step 24, an error signal is produced and the process may terminate in step 28 or return to step 22. The method or parts thereof may be implemented as one or more computer programs.
A CP-ABE scheme may comprise four main algorithms which may be executed by different actors in the system. An example system has been described with reference to Fig. 1 and Fig. 2. In particular, the algorithms Setup, KeyGen, Encrypt, and Decrypt may be distinguished, wherein KeyGen stands for key generation. The CP-ABPRE scheme may extend CP-ABE schemes by adding a proxy component to the existing actors of CP-ABE (which include a trusted authority (TA) and users) and the algorithms RKGen and Re-Encrypt, wherein RKGen stands for re-encryption key generation.
-Setup(): run by the trusted authority (TA), the algorithm on input of a security parameter, outputs a master secret key "MK" which may be kept private, and the master public key "PK" which may be distributed to users.
-KeyGen (ω, MK): run by the trusted authority (TA), the algorithm may take as input a set of attributes ω which represent properties of a user, and the master secret key MK, and it may output a user secret key skω associated with the set of attributes ω. Such a user secret key skω may be used later on for decrypting ciphertexts which have an access policy which is satisfied by the set of attributes ω.
-Encrypt (m, P1, PK): run by the encrypter, the algorithm may take as input a message "m" to be encrypted, an access policy P1, and the master public key "PK". The access policy P1 prescribes which combination of attributes the decrypter needs to have in order to be allowed access to "m". The algorithm may output the ciphertext "cP1".
-RKGen (skω, P1, P2): run by the delegator, this algorithm may take as input the secret key skω and the access policies (P1, P2) and may output a unidirectional re-encryption key rk(P1→P2) if skω satisfies P1, or an error symbol (or, alternatively, an unusable re-encryption key) if ω does not satisfy P1.
-Re-Encrypt (cP1, rk(P1→P2)): run by the proxy (or re-encrypter), this algorithm may take as input the ciphertext "cP1" associated with the access policy P1, and the re-encryption key rk(P1→P2), and may output the ciphertext "cP2" associated with the access policy P2.
-Decrypt (cPi, skω): run by the decrypter, the algorithm may take as input the ciphertext cPi and the secret key skω, and may output a message m if the set of attributes ω satisfies the policy Pi, or an error symbol if ω does not satisfy Pi. Herein, i may be 1 or 2.
For example, RKGen may comprise the step of selection of random values /, x ' from Zp such that fx '=x. RKGen may comprise the step of generating a random value, i.e. g1. RKGen may comprise the step of modifying the secret key (of delegator) associated with the attribute set that satisfies the first access policy by multiplying it with g '. RKGen may comprise the step of re-arranging the secret key (of delegator) associated with the attribute set that satisfies the first access policy for inclusion in the re-encryption key. RKGen may comprise generating a random component for inclusion in the re-encryption key. RKGen may comprise deriving a pseudorandom number that is encrypted from a value generated during the setup phase based on a random number "f" from Zp, wherein this random number "f" is part of a Master Secret Key MK.
For example, Re-Encrypt may comprise the step of bilinear pairing of from the re-encryption key and from the first ciphertext to generate P. Re-Encrypt may comprise the step of bilinear pairing of D(V> from the re-encryption key and from the first ciphertext and multiplication of the resultant value with P-1 to generate PK. Re-Encrypt may comprise the step of division of from the first ciphertext by the output P-1 to generate PK. Re-Encrypt may comprise the step of bilinear pairing of from the re-encryption key and ^ of the first ciphertext and multiplication of the resultant value with output P-1 to generate (2). Re-Encrypt may comprise the step of rearrangement of the values for the output as second ciphertext, i.e. (C(1), C(2), C(3)). The symbols used in this paragraph are explained hereinafter.
As mentioned before, in practice there are scenarios where a user would like to delegate his/her access rights to data to another user or may want to enable access for the users with some different set of attributes. For example, patient (Alice) may want to allow another user (e.g. Dr. Bob) who has a secret key skω associated with attribute set ω=(c, d) to access her files encrypted according to a policy, say P1=(a AND b), where "a" and "b" are the attributes necessary to decrypt the message, and "c" and "d" are the attributes of the prospective user, Dr. Bob in this case. Therefore, Alice has to update P1=(a AND b), where "a" and "b" are the attributes of the user, to another access policy say P2=(a AND b) OR (c AND d), which can be satisfied by Dr. Bob in this case. A straightforward approach to achieve this would be that Alice sends to the access control server her secret key skAlice which satisfies the access policy "P1". The access control server decrypts the encrypted data using skAlice and re-encrypts the data according to the new policy P2. After that, Dr. Bob would be able to decrypt the data using his secret key skω associated with attribute set ω=(c, d).
However, a drawback of this approach is that the server may gain access to the plain data and to the secret key of Alice. Consequently, the server should be a trusted entity. In practice, the server might not be trusted. To avoid this drawback, Alice could perform by herself the re-encryption process by downloading the ciphertexts, decrypting the ciphertexts using her keys that correspond to P1 and re-encrypting the data according to P2. However, the main disadvantage of this approach is that Alice has to be involved in each re-encryption. In both of these approaches, the process is also computationally intensive as the data is first decrypted and then encrypted again.
Using a re-encryption key rk(P1→P2), it is possible to enable a proxy to transform, using that key, ciphertext associated with the access policy P1 into ciphertext associated with access policy P2, without having access to the plain data.
A ciphertext-policy attribute-based proxy re-encryption scheme may support efficient outsourced policy updates. It allows a proxy maintained by an untrusted server (or untrusted system) to transform a ciphertext associated with an access policy "P1" into a ciphertext associated with an access policy "P2". In this transformation process, the untrusted server (or system or proxy) does not get access to the plain data.
A ciphertext-policy attribute-based proxy re-encryption scheme may be useful for the dynamic environments where a person wants to delegate the access rights to a second person (delegate) related to a data encrypted according to the access policy P1, where the delegate is only allowed to view the data encrypted according to an access policy P2.
A ciphertext-policy attribute-based proxy re-encryption scheme may be useful for the dynamic environments where the access policy is changed frequently, e.g. in the healthcare domain, a patient may want to enable access for another doctor (e.g. Dr. Bob), or another category of healthcare professionals, in order to get a second opinion. A ciphertext-policy attribute-based proxy re-encryption scheme may support multiuser decryption and multiuser delegation.
Fig. 3 shows an example of an architecture of an encryption system. In the system, the data owner 30 (patient) encrypts the health data according to the access policy P1, say P1= (GP AND Hospital 1) OR (Owner of data (Patient)), and uploads the encrypted data "cP1" to an untrusted storage server 31, as indicated by arrow 41. For example, the Internet may be used as a means of communication. The general practitioner (GP) 34 from the Hospital 1 downloads the encrypted data from the untrusted storage server 31, as indicated by arrow 42, and decrypts them locally. Note that besides the owner of the data (i.e., the Patient himself), only users who have the attributes GP and Hospital 1 can decrypt the ciphertext. The patient may want a second opinion from a GP 35 from Hospital 2, who is not allowed to view the data encrypted according to access policy P1= [(GP AND Hospital 1) OR (Owner of data (Patient))]. Consequently, in order to enable access to patient's data for GP 35 from Hospital 2 for the purpose of second opinion, the data owner 30 may compute the re-encryption key rk(P1→P2) that may be used by the semi-trusted proxy 33 to transform the ciphertext encrypted according to the policy P1= [GP AND Hospital 1] into a ciphertext encrypted according to the policy P2= [GP AND (Hospital 1 OR Hospital 2) OR (Owner of data (Patient))]. The re-encryption key rk(P1→P2) may be sent to a re-encryption key storage server 32, as indicated by arrow 43. The proxy 33, upon receiving the re-encryption key from the patient and original ciphertext associated with P1 from the server, may re-encrypt the ciphertext associated with "P1" into a ciphertext associated with "P2" using the re-encryption key rk(P1→P2). This is depicted with arrows 44 and 45. Note that in practice the semi-trusted proxy 33 could also be integrated in the re-encryption key storage server 32. After the re-encryption, the GP 35 from Hospital 2 can decrypt the data using his/her secret key, as depicted by arrow 46.
In the following, an example CP-ABPRE scheme is described. This example scheme comprises a number of algorithms which may be implemented on computer servers, for example using a computer program which implements the algorithm. Some of these algorithms may be omitted or implemented only partly, as appropriate. Moreover, different algorithms may be arranged to be executed on different computer devices. It is also possible to distribute the operations involved in a single algorithm over a plurality of devices and/or processors. The algorithms described below include a setup algorithm, a key generation algorithm, an encryption algorithm, a re-encryption key generator (RKGen), a re-encryption algorithm, and a decryption algorithm. Modifications of these algorithms are possible; the specific examples described below are not limiting.
Setup. The setup algorithm selects a bilinear group G0 of prime order p and generator g, and a bilinear map e : G0 × G0 → G1. Next to this, the setup generates the list of attributes in the system Ω = {a_1, a_2, ..., a_k}, picks randomly α, β, f, x_1, x_2, ..., x_k ∈ Zp, and sets T_j = g^(x_j) (1 ≤ j ≤ k). The public key is published as:
Figure imgf000016_0001
The master secret key consists of the following components:
MK = (α, β, f, {x_j}, 1 ≤ j ≤ k).
· KeyGeneration(MK, ω). The key generation algorithm takes as input the master secret key MK and an attribute set ω, wherein ω ⊆ Ω. For each user the algorithm picks at random r ∈ Zp and computes a secret key SKω which comprises the following components:
Figure imgf000016_0002
· Encryption(m, p1, PK). To encrypt a message m ∈ G1, under the access policy p1 over the set of available attributes Ω, the encryption algorithm picks a random value s ∈ Zp, and assigns s_i values (which are shares of s) to attributes in p1 in the following fashion:
1. The encrypter transforms the access policy into an access tree where the interior nodes represent AND or OR boolean operators, and leaf nodes represent the actual attributes appearing in the policy. Note that the policy may have the form of an expression including AND and/or OR operators, to indicate valid combinations of attributes which are sufficient to be allowed access.
2. It assigns the value s to the root node.
3. Use, for example, the Benaloh and Leichter (Josh Benaloh and Jerry Leichter, "Generalized Secret Sharing and Monotone Functions", Advances in Cryptology - CRYPTO '88, LNCS 403, pp. 27-35, 1990) secret sharing scheme to assign values s_i to leaf nodes (attributes) in the following fashion. Recursively, for each un-assigned non-leaf node, it does the following:
a) If the node is AND, it assigns a share to each child node, such that the sum of all shares is s. Mark this node as assigned.
b) If the node is OR, it assigns the same value s to each child. Mark this node as assigned.
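The share assignment of steps 1 to 3, together with the check that an attribute set satisfies the policy, can be run on the Fig. 3 policies as follows. This is an added example, not part of the patent text: the tuple encoding of the access tree, the function names and the modulus 2^127 - 1 standing in for the group order p are assumptions, and the code works on the integer shares directly rather than on the group elements and pairings of the scheme.

```python
import secrets

# Assumption: a constructed prime standing in for the group order p of the scheme.
P = 2**127 - 1

# Constructed encodings of the Fig. 3 policies. A leaf is an attribute name;
# an interior node is ("AND" | "OR", [children]).
P1 = ("OR", [("AND", ["GP", "Hospital 1"]), "Patient"])
P2 = ("OR", [("AND", ["GP", ("OR", ["Hospital 1", "Hospital 2"])]), "Patient"])


def share_secret(tree, s, p=P):
    """Steps 2-3: push s down the tree; return [(attribute, share), ...] in leaf order."""
    if isinstance(tree, str):
        return [(tree, s % p)]
    op, children = tree
    if not children:
        raise ValueError("interior node without children")
    if op == "OR":
        parts = [s] * len(children)          # b) every child gets the same value
    elif op == "AND":
        parts = [secrets.randbelow(p) for _ in children[:-1]]
        parts.append((s - sum(parts)) % p)   # a) the shares sum to s modulo p
    else:
        raise ValueError(f"unsupported operator: {op!r}")
    leaves = []
    for child, part in zip(children, parts):
        leaves.extend(share_secret(child, part, p))
    return leaves


def reconstruct(tree, leaves, attrs, p=P):
    """Return (s, attributes used) if attrs satisfies the tree, else None."""
    remaining = iter(leaves)

    def walk(node):
        if isinstance(node, str):
            attr, value = next(remaining)    # leaves are consumed in sharing order
            return (value, [attr]) if attr in attrs else None
        op, children = node
        # Visit every child, satisfied or not, so the leaf iterator stays aligned.
        results = [walk(child) for child in children]
        if op == "AND":
            if any(r is None for r in results):
                return None
            total = sum(r[0] for r in results) % p
            return (total, [a for r in results for a in r[1]])
        # OR: any satisfied child carries the node's value; prefer the fewest leaves.
        satisfied = [r for r in results if r is not None]
        return min(satisfied, key=lambda r: len(r[1])) if satisfied else None

    return walk(tree)


if __name__ == "__main__":
    s = secrets.randbelow(P)
    attribute_sets = ({"GP", "Hospital 1"}, {"GP", "Hospital 2"}, {"Patient"}, {"GP"})
    for name, policy in (("P1", P1), ("P2", P2)):
        shares = share_secret(policy, s)
        for attrs in attribute_sets:
            result = reconstruct(policy, shares, attrs)
            status = "recovers s using " + ", ".join(result[1]) if result else "not satisfied"
            print(f"{name} {sorted(attrs)}: {status}")
```

Under P1 the attribute set {GP, Hospital 2} recovers nothing, while the same set recovers s under P2, which is the policy change the re-encryption key is meant to enable.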
The resulting ciphertext may comprise the following components:
Figure imgf000017_0001
RKGen(SKω, p1, p2, PK): The algorithm outputs a re-encryption key which is used by the re-encryption algorithm to transform the ciphertext associated with p1 into a ciphertext associated with p2. The algorithm first parses , picks at
Figure imgf000017_0002
random and computes the re-encryption key which may
Figure imgf000017_0004
Figure imgf000017_0003
comprise the following components:
Figure imgf000017_0005
, and computes the
Figure imgf000017_0006
following:
In a first step, for every attribute a_j ∈ ω, it computes the following:
Figure imgf000017_0007
In a second step, it computes the following:
Figure imgf000017_0008
In a third step, it computes the following:
Figure imgf000017_0009
Figure imgf000018_0003
In a fourth step, it computes the following:
Figure imgf000018_0004
The algorithm outputs the re-encrypted ciphertext, which may comprise the following components:
Figure imgf000018_0005
Decryption(C_pi, SKω): The decryption algorithm takes as input the ciphertext C_pi and decryption key SKω. It checks if the secret key SKω associated with the attribute set ω satisfies the access policy p_i. If not, it may output an error symbol ⊥, or unusable output. If ω satisfies the access policy p_i and C_pi is a regular (not re-encrypted) ciphertext, then the decryption algorithm performs the following:
In a first step, the algorithm chooses the smallest subset
Figure imgf000018_0007
which satisfies the access policy p_i and parses , and SKω as
Figure imgf000018_0006
Figure imgf000018_0001
In a second step, for every attribute a_j ∈ ω', it computes
Figure imgf000018_0002
In a third step, it computes
Figure imgf000018_0008
In a fourth step, the message is obtained by computing
Figure imgf000018_0009
If ω satisfies the access policy p_i and C_pi is a re-encrypted ciphertext, then the decryption algorithm performs the following:
* In a first step, it parses
Figure imgf000018_0010
* In a second step, it recovers the message in the following way:
Figure imgf000019_0001
It will be appreciated that the invention also applies to computer programs, particularly computer programs on or in a carrier, adapted to put the invention into practice. The program may be in the form of a source code, an object code, a code intermediate source and object code such as in a partially compiled form, or in any other form suitable for use in the implementation of the method according to the invention. It will also be appreciated that such a program may have many different architectural designs. For example, a program code implementing the functionality of the method or system according to the invention may be sub-divided into one or more sub-routines. Many different ways of distributing the functionality among these sub-routines will be apparent to the skilled person. The sub-routines may be stored together in one executable file to form a self-contained program. Such an executable file may comprise computer-executable instructions, for example, processor instructions and/or interpreter instructions (e.g. Java interpreter instructions). Alternatively, one or more or all of the sub-routines may be stored in at least one external library file and linked with a main program either statically or dynamically, e.g. at run-time. The main program contains at least one call to at least one of the sub-routines. The sub-routines may also comprise function calls to each other. An embodiment relating to a computer program product comprises computer-executable instructions corresponding to each processing step of at least one of the methods set forth herein. These instructions may be sub-divided into sub-routines and/or stored in one or more files that may be linked statically or dynamically. Another embodiment relating to a computer program product comprises computer-executable instructions corresponding to each means of at least one of the systems and/or products set forth herein. These instructions may be sub-divided into sub-routines and/or stored in one or more files that may be linked statically or dynamically.
The carrier of a computer program may be any entity or device capable of carrying the program. For example, the carrier may include a storage medium, such as a ROM, for example, a CD ROM or a semiconductor ROM, or a magnetic recording medium, for example, a floppy disc or a hard disk. Furthermore, the carrier may be a transmissible carrier such as an electric or optical signal, which may be conveyed via electric or optical cable or by radio or other means. When the program is embodied in such a signal, the carrier may be constituted by such a cable or other device or means. Alternatively, the carrier may be an integrated circuit in which the program is embedded, the integrated circuit being adapted to perform, or used in the performance of, the relevant method. It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design many alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. Use of the verb "comprise" and its conjugations does not exclude the presence of elements or steps other than those stated in a claim. The article "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the device claim enumerating several means, several of these means may be embodied by one and the same item of hardware. The mere fact that certain measures are recited in mutually different dependent claims does not indicate that a combination of these measures cannot be used to advantage.

Claims

CLAIMS:
1. A ciphertext-policy attribute-based encryption system, comprising a re-encrypter (9) for cryptographically transforming a first ciphertext (CTP1) associated with a first access policy (P1) into a second ciphertext (CTP2) associated with a second access policy (P2) by means of a re-encryption key (RK).
2. The system according to claim 1, wherein a ciphertext associated with an access policy can be decrypted by means of a decryption key associated with an attribute set satisfying that access policy.
3. The system according to claim 1, further comprising a re-encryption key generator (7) for generating the re-encryption key (RK), wherein the re-encryption key (RK) enables the re-encrypter (9) to cryptographically transform the first ciphertext (CTP1) associated with the first access policy (P1) into the second ciphertext (CTP2) associated with the second access policy (P2).
4. The system according to claim 3, wherein the re-encryption key generator (7) comprises a subsystem for encrypting a value derived from a pseudorandom number, thereby generating a further ciphertext associated with the second access policy (P2), the re-encryption key generator (7) being arranged for including a representation of the further ciphertext in the re-encryption key.
5. The system according to claim 4, wherein the re-encrypter (9) is arranged for including a representation of the further ciphertext in the second ciphertext (CTP2).
6. The system according to claim 3, wherein the re-encryption key generator (7) is arranged for including in the re-encryption key (RK) an at least partly obfuscated representation of part of a decryption key (SKω) associated with an attribute set (ω) satisfying the first access policy (P1).
7. The system according to claim 1, wherein the re-encrypter (9) is arranged for bilinear pairing of at least part of the re-encryption key (RK) and at least part of the first ciphertext (CTP1).
8. The system according to claim 1, further comprising a decrypter (6) for decrypting the second ciphertext (CTP2) by means of a decryption key (SKω) associated with an attribute set (ω) satisfying the second access policy (P2).
9. The system according to claim 8, wherein the decrypter (6) comprises:
- a subsystem for extracting the further ciphertext from the second ciphertext (CTP2);
- a subsystem for decrypting the further ciphertext by means of the decryption key (SKω) to obtain the value; and
- a subsystem for decrypting the message stored in the second ciphertext (CTP2) based on the value.
10. The system according to claim 1, further comprising:
- a key generator (3) for receiving an attribute set (ω) of at least one attribute and outputting a decryption key (SKω) associated with the attribute set (ω); and
- an encrypter (5) for generating the ciphertext (CTP1) associated with the first access policy (P1), wherein the ciphertext (CTP1) comprises an encryption of a message and the ciphertext (CTP1) can be decrypted by means of a decryption key (SKω) associated with an attribute set (ω) satisfying the first access policy (P1).
11. A re-encryption key generator (7) for use in the system according to claim 1, the re-encryption key generator being arranged for generating a re-encryption key (RK), wherein the re-encryption key (RK) enables a re-encrypter (9) to cryptographically transform a first ciphertext (CTP1) associated with a first access policy (P1) into a second ciphertext (CTP2) associated with a second access policy (P2).
12. A workstation comprising the system according to claim 1 or the re-encryption key generator according to claim 11.
13. The workstation according to claim 12, wherein the workstation is a medical workstation.
14. A method of ciphertext-policy attribute-based re-encryption, comprising cryptographically transforming (27) a first ciphertext (CTP1) associated with a first access policy (P1) into a second ciphertext (CTP2) associated with a second access policy (P2) by means of a re-encryption key (RK).
15. A computer program product comprising instructions for causing a processor system to perform the method according to claim 14.
PCT/IB2010/054581 2009-10-15 2010-10-11 Ciphertext-policy attribute-based encryption and re-encryption WO2011045723A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
EP09173141.4 2009-10-15
EP09173141 2009-10-15

Publications (1)

Publication Number Publication Date
WO2011045723A1 true WO2011045723A1 (en) 2011-04-21

Family

ID=43413533

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IB2010/054581 WO2011045723A1 (en) 2009-10-15 2010-10-11 Ciphertext-policy attribute-based encryption and re-encryption

Country Status (1)

Country Link
WO (1) WO2011045723A1 (en)

Cited By (24)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102916954A (en) * 2012-10-15 2013-02-06 南京邮电大学 Attribute-based encryption cloud computing safety access control method
WO2013027206A1 (en) * 2011-08-24 2013-02-28 Ben-Gurion University Of The Negev Research & Development Authority A method for attribute based broadcast encryption with permanent revocation
CN103346999A (en) * 2013-05-28 2013-10-09 北京航空航天大学 NOT operational character supported characteristic-based CP-ABE method having CCA security
CN103618728A (en) * 2013-12-04 2014-03-05 南京邮电大学 Attribute-based encryption method for multiple authority centers
CN103618609A (en) * 2013-09-09 2014-03-05 南京邮电大学 User timely revocation method based on attribute-based encryption in cloud environment
WO2014027263A3 (en) * 2012-08-17 2014-04-10 Koninklijke Philips N.V. Attribute-based encryption
CN103747279A (en) * 2013-11-18 2014-04-23 南京邮电大学 Cloud storage and sharing coded video encryption and access control strategy updating method
CN104022869A (en) * 2014-06-17 2014-09-03 西安电子科技大学 Fine-grained data access control method based on fragmenting of secret keys
US20150180661A1 (en) * 2012-08-08 2015-06-25 Kabushiki Kaisha Toshiba Re-encryption key generator, re-encryption device, encryption device, decryption device, and program
CN104871477A (en) * 2013-01-16 2015-08-26 三菱电机株式会社 Encryption system, re-encryption key generation device, re-encryption device, encryption method and encryption program
CN105025012A (en) * 2015-06-12 2015-11-04 深圳大学 An access control system and an access control method thereof oriented towards a cloud storage service platform
US20160055347A1 (en) * 2014-08-19 2016-02-25 Electronics And Telecommunications Research Institute Data access control method in cloud
US9374373B1 (en) 2015-02-03 2016-06-21 Hong Kong Applied Science And Technology Research Institute Co., Ltd. Encryption techniques for improved sharing and distribution of encrypted content
CN105850071A (en) * 2014-01-14 2016-08-10 三菱电机株式会社 Crypt-system, re-encryption key generation apparatus, re-encryption apparatus, and crypt-program
CN103618609B (en) * 2013-09-09 2016-11-30 南京邮电大学 Timely user's cancelling method based on the encryption of attribute base under a kind of cloud environment
KR101701052B1 (en) * 2015-08-26 2017-01-31 동국대학교 경주캠퍼스 산학협력단 Information security method in environment of internet of things and information security system using the method
JPWO2016103960A1 (en) * 2014-12-25 2017-11-16 国立大学法人 東京大学 Control device, statistical analysis device, decoding device, and transmission device
CN109819323A (en) * 2019-01-24 2019-05-28 中国电影科学技术研究所 A kind of video content access method in mixing cloud system
CN109934599A (en) * 2019-03-20 2019-06-25 众安信息技术服务有限公司 Source tracing method based on block chain and device of tracing to the source
US10659222B2 (en) 2017-04-28 2020-05-19 IronCore Labs, Inc. Orthogonal access control for groups via multi-hop transform encryption
WO2020240630A1 (en) * 2019-05-24 2020-12-03 三菱電機株式会社 Re-encryption device, re-encryption method, re-encryption program and cryptosystem
US10979401B2 (en) 2015-12-18 2021-04-13 Samsung Electronics Co., Ltd. Apparatus and method for sharing personal electronic-data of health
CN113127927A (en) * 2021-04-27 2021-07-16 泰山学院 Attribute reconstruction encryption method and system for license chain data sharing and supervision
CN115604036A (en) * 2022-12-13 2023-01-13 四川大学(Cn) Electronic medical record privacy protection system and method based on improved CP-ABE

Non-Patent Citations (5)

* Cited by examiner, † Cited by third party
Title
GOYAL ET AL: "Attribute-based encryption for fine-grained access control of encrypted data", ACM CONFERENCE ON COMPUTER AND COMMUNICATIONS SECURITY, CCS 2006, 30 October 2006 (2006-10-30) - 3 November 2006 (2006-11-03), XP040050996 *
J. BETHENCOURT; A. SAHAI; B. WATERS: "Ciphertext-Policy Attribute-Based Encryption", PROCEEDINGS OF THE 2007 IEEE SYMPOSIUM ON SECURITY AND PRIVACY, 2007, pages 321 - 334, XP031097141
JOSH BENALOH; JERRY LEICHTER: "Generalized Secret Sharing and Monotone Functions, Advances in Cryptology - CRYPTO '88", LNCS, vol. 403, 1990, pages 27 - 35
LIANG ET AL: "Attribute Based Proxy Re-encryption with Delegating Capabilities", ACM SYMPOSIUM ON INFORMATION, COMPUTER AND COMMUNICATIONS SECURITY, ASIACCS'09, 10 March 2009 (2009-03-10) - 12 March 2009 (2009-03-12), Sydney, Australia, pages 276 - 286, XP040465600, DOI: 10.1145/1533057.1533094 *
SHUCHENG YU ET AL: "Attribute-based content distribution with hidden policy", SECURE NETWORK PROTOCOLS, 2008. NPSEC 2008. 4TH WORKSHOP ON, IEEE, PISCATAWAY, NJ, USA, 19 October 2008 (2008-10-19), pages 39 - 44, XP031356491, ISBN: 978-1-4244-2651-5, DOI: 10.1109/NPSEC.2008.4664879 *

Cited By (43)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2013027206A1 (en) * 2011-08-24 2013-02-28 Ben-Gurion University Of The Negev Research & Development Authority A method for attribute based broadcast encryption with permanent revocation
US9413528B2 (en) 2011-08-24 2016-08-09 Ben-Gurion University Of The Negev Research And Development Authority Method for attribute based broadcast encryption with permanent revocation
EP2748964A4 (en) * 2011-08-24 2015-07-08 Univ Ben Gurion A method for attribute based broadcast encryption with permanent revocation
US9819487B2 (en) 2012-08-08 2017-11-14 Kabushiki Kaisha Toshiba Re-encryption key generator, re-encryption device, encryption device, decryption device, and program
EP2884690A4 (en) * 2012-08-08 2016-03-09 Toshiba Kk Re-encryption key generation device, re-encryption device, encryption device, decryption device, and program
US20150180661A1 (en) * 2012-08-08 2015-06-25 Kabushiki Kaisha Toshiba Re-encryption key generator, re-encryption device, encryption device, decryption device, and program
JP2015524945A (en) * 2012-08-17 2015-08-27 コーニンクレッカ フィリップス エヌ ヴェ Attribute-based encryption
US9800555B2 (en) 2012-08-17 2017-10-24 Koninklijke Philips N.V. Attribute-based encryption
WO2014027263A3 (en) * 2012-08-17 2014-04-10 Koninklijke Philips N.V. Attribute-based encryption
CN104620535A (en) * 2012-08-17 2015-05-13 皇家飞利浦有限公司 Attribute-based encryption
CN102916954A (en) * 2012-10-15 2013-02-06 南京邮电大学 Attribute-based encryption cloud computing safety access control method
EP2947810A4 (en) * 2013-01-16 2016-08-31 Mitsubishi Electric Corp Encryption system, re-encryption key generation device, re-encryption device, encryption method and encryption program
CN104871477B (en) * 2013-01-16 2018-07-10 三菱电机株式会社 Encryption system, re-encrypted private key generating means, re-encryption device, encryption method
CN104871477A (en) * 2013-01-16 2015-08-26 三菱电机株式会社 Encryption system, re-encryption key generation device, re-encryption device, encryption method and encryption program
CN103346999A (en) * 2013-05-28 2013-10-09 北京航空航天大学 NOT operational character supported characteristic-based CP-ABE method having CCA security
CN103346999B (en) * 2013-05-28 2016-06-15 北京航空航天大学 A kind of NOT of support operator also has the CP-ABE method of CCA safety
CN103618609A (en) * 2013-09-09 2014-03-05 南京邮电大学 User timely revocation method based on attribute-based encryption in cloud environment
CN103618609B (en) * 2013-09-09 2016-11-30 南京邮电大学 Timely user's cancelling method based on the encryption of attribute base under a kind of cloud environment
CN103747279A (en) * 2013-11-18 2014-04-23 南京邮电大学 Cloud storage and sharing coded video encryption and access control strategy updating method
CN103618728A (en) * 2013-12-04 2014-03-05 南京邮电大学 Attribute-based encryption method for multiple authority centers
CN105850071A (en) * 2014-01-14 2016-08-10 三菱电机株式会社 Crypt-system, re-encryption key generation apparatus, re-encryption apparatus, and crypt-program
EP3096487A4 (en) * 2014-01-14 2017-09-06 Mitsubishi Electric Corporation Crypt-system, re-encryption key generation apparatus, re-encryption apparatus, and crypt-program
CN105850071B (en) * 2014-01-14 2019-06-25 三菱电机株式会社 Encryption system, re-encrypted private key generating means and re-encryption device
CN104022869B (en) * 2014-06-17 2017-03-29 西安电子科技大学 Data fine-grained access control method based on key burst
CN104022869A (en) * 2014-06-17 2014-09-03 西安电子科技大学 Fine-grained data access control method based on fragmenting of secret keys
US20160055347A1 (en) * 2014-08-19 2016-02-25 Electronics And Telecommunications Research Institute Data access control method in cloud
US9646168B2 (en) * 2014-08-19 2017-05-09 Electronics And Telecommunications Research Institute Data access control method in cloud
JPWO2016103960A1 (en) * 2014-12-25 2017-11-16 国立大学法人 東京大学 Control device, statistical analysis device, decoding device, and transmission device
US9374373B1 (en) 2015-02-03 2016-06-21 Hong Kong Applied Science And Technology Research Institute Co., Ltd. Encryption techniques for improved sharing and distribution of encrypted content
CN105025012B (en) * 2015-06-12 2017-12-08 深圳大学 Towards the access control system and its access control method of cloud storage service platform
CN105025012A (en) * 2015-06-12 2015-11-04 深圳大学 An access control system and an access control method thereof oriented towards a cloud storage service platform
KR101701052B1 (en) * 2015-08-26 2017-01-31 동국대학교 경주캠퍼스 산학협력단 Information security method in environment of internet of things and information security system using the method
US10979401B2 (en) 2015-12-18 2021-04-13 Samsung Electronics Co., Ltd. Apparatus and method for sharing personal electronic-data of health
US11909868B2 (en) 2017-04-28 2024-02-20 IronCore Labs, Inc. Orthogonal access control for groups via multi-hop transform encryption
US10659222B2 (en) 2017-04-28 2020-05-19 IronCore Labs, Inc. Orthogonal access control for groups via multi-hop transform encryption
US11146391B2 (en) 2017-04-28 2021-10-12 IronCore Labs, Inc. Orthogonal access control for groups via multi-hop transform encryption
CN109819323A (en) * 2019-01-24 2019-05-28 中国电影科学技术研究所 A kind of video content access method in mixing cloud system
CN109819323B (en) * 2019-01-24 2020-12-29 中国电影科学技术研究所 Video content access method in mixed cloud system
CN109934599A (en) * 2019-03-20 2019-06-25 众安信息技术服务有限公司 Source tracing method based on block chain and device of tracing to the source
WO2020240630A1 (en) * 2019-05-24 2020-12-03 三菱電機株式会社 Re-encryption device, re-encryption method, re-encryption program and cryptosystem
JPWO2020240630A1 (en) * 2019-05-24 2021-10-21 三菱電機株式会社 Re-encrypting device, re-encrypting method, re-encrypting program and cryptosystem
CN113127927A (en) * 2021-04-27 2021-07-16 泰山学院 Attribute reconstruction encryption method and system for license chain data sharing and supervision
CN115604036A (en) * 2022-12-13 2023-01-13 四川大学(Cn) Electronic medical record privacy protection system and method based on improved CP-ABE

Similar Documents

Publication Publication Date Title
WO2011045723A1 (en) Ciphertext-policy attribute-based encryption and re-encryption
Samanthula et al. A secure data sharing and query processing framework via federation of cloud computing
EP2756627B1 (en) Hierarchical attribute-based encryption and decryption
Ibraimi et al. Secure management of personal health records by applying attribute-based encryption
Ruj et al. DACC: Distributed access control in clouds
Liu et al. Dynamic access policy in cloud-based personal health record (PHR) systems
EP2885893B1 (en) Attribute-based encryption
CN113411323B (en) Medical record data access control system and method based on attribute encryption
Ibraimi et al. An encryption scheme for a secure policy updating
Florence et al. Enhanced secure sharing of PHR’s in cloud using user usage based attribute based encryption and signature with keyword search
Zhou et al. A secure role-based cloud storage system for encrypted patient-centric health records
Fugkeaw A lightweight policy update scheme for outsourced personal health records sharing
Qinlong et al. Improving security and efficiency for encrypted data sharing in online social networks
Boomija et al. Securing medical data by role-based user policy with partially homomorphic encryption in AWS cloud
Gurav et al. Scalable and secure sharing of personal health records in cloud computing using attribute based encryption
Chennam et al. Cloud security in crypt database server using fine grained access control
Pareek et al. Proxy re-encryption scheme for access control enforcement delegation on outsourced data in public cloud
Routray et al. CP-ABE with hidden access policy and outsourced decryption for cloud-based EHR applications
JP2008176040A (en) Key management method, key creation method, code processing method, transfer method for decryption authority, and communication network system
Doshi et al. An enhanced scheme for PHR on cloud servers using CP-ABE
Ghoubach et al. Efficient and secure data sharing with outsourced decryption and efficient revocation for cloud storage systems
Dong et al. P2E: privacy-preserving and effective cloud data sharing service
Bezawada et al. Attribute-Based Encryption: Applications and Future Directions
JP5366755B2 (en) Data editing system, writing device, reading device, and data editing method
Vimal Secured ABE Systems with Verifiable Outsourced Decryption

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 10776163

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 10776163

Country of ref document: EP

Kind code of ref document: A1